1. Field of the Invention
The present invention generally relates to electronic circuits and, more specifically, to microprocessors operating an external memory. “External memory” is used to designate a memory connected to the processor by communication buses accessible, for example, to a possible hacker.
The present invention more specifically relates to the checking of the integrity (absence of modification between their writing and their reading) of data contained in an external volatile memory for processing by a microprocessor.
2. Discussion of the Related Art
FIG. 1 is a block diagram of an architecture of the type to which the present invention applies. A microprocessor 1 comprises, among others, a central processing unit 11 (CPU) and, in the field of application of the present invention, an element 12 (CHECK) for checking the integrity of data read by the microprocessor from a memory 13 outside of circuit 1. Microprocessor 1 communicates with memory 13 (and other elements not shown) over several buses 14, among which an address bus 141, a data bus 142, and a control bus, not shown. Memory 13 is a RAM, called working memory, in which are stored data enabling the microprocessor to execute a program. These may be variables written and read by processor 1 in an operation session, or program instructions transiting through this work memory from a ROM (not shown) for execution thereof. It is considered that central processing unit 11 and integrity controller 12 are in a secure area (SECURE) of the microprocessor, that is, the data transiting through this area (or remaining within said area) need not be checked as to their integrity. However, memory 13 is considered in a non-secure or open environment (OPEN), which justifies the need to check that data which have been written into memory 13 are effectively identical on reading thereof.
A difference between the written and read data may originate either from a fraud attempt by a possible hacker, or from an incidental malfunction. In both cases, it is useful for microprocessor 1 to be able to detect that the data that it is about to process do not correspond to those that it expects.
A first known solution to check the integrity of the content of a memory read by a microprocessor is known as a CRC (Cyclic Redundancy Check) and comprises the storing, with the content of a block in the memory, of a value representative of this content. This value is then checked on reading to detect possible errors in the memory block content. Such a solution may be efficient to detect incidental errors but is not efficient against a possible hacking, since it is enough for the hacker to know the calculation mode of the value representative of the content to be able to force the system with erroneous data, coming along with a value that the hacker will have himself calculated and which will be admitted by the system.
A second known solution comprises the ciphering of the entire memory content by means of a ciphering algorithm executed by the microprocessor. On reading, the data extracted from the memory are then deciphered by the microprocessor. Such a solution does not prevent the introduction of erroneous data, for example, on a fraud attempt by fault injection into the program execution, since the data or instructions will anyway be deciphered by the processor.
A third solution is based on a calculation of message authentication codes (MAC) or digital signatures, and comprises the calculation of the result of a block ciphering algorithm exploiting, among others, a secret value known by the sole microprocessor.
FIG. 2 very schematically illustrates in the form of blocks the operation of an example of an integrity controller 12 of this type, on writing of a program block (CODE) into memory 13. For simplification, the central processing unit and other microprocessor components have not been shown in FIG. 2.
FIG. 3 illustrates the operation of such an integrity controller on reading of a program block (CODE) from this same memory.
Integrity controller 12 comprises an element 21 (MAC FCT) for calculating an authentication code (signature) MAC from the content CODE of the memory block, its physical address ADDRESS of storage into memory 13, and a key KEY. The address of storage in memory 13 is read from address bus 141 (ADD) and stored, for example, in a temporary register 22 of the integrity controller. The data block to be stored at this address is read from data bus 142 (DATA) and is temporarily stored, for example, in one or several registers 23 of the integrity controller. Key KEY comes from circuits internal to the microprocessor and corresponds, for example, to a secret key modified for each new session (new execution) of the program.
In write mode (FIG. 2), the integrity controller calculates, from the address, the block to be stored, and the key, a code MAC and this code is stored in memory 13 at the same time as the actual code.
On reading (FIG. 3), integrity controller 12 recalculates an authentication code MAC from the read address, the content of the block read from the memory, and the key, then compares (comparator 24—COMP) this code MAC with that contained in memory 13. The result of this comparison provides an indicator (ICF or Integrity Check Flag) to the central processing unit (11, FIG. 1) enabling said unit to take the appropriate measures in case of a voluntary or involuntary error. Said measures are, for example, a blocking of integrated circuit 1, an erasing of the secret data contained in circuit 1, etc.
The above description is functional and the integrity controller is in practice a program executed by the microprocessor by using its usual operators and registers. In particular, the respective sizes of registers 22 and 23 depend on the rapidity of processing of the integrity controller with respect to the needs of the central processing unit. Said registers generally are banks of FIFO-type registers.
A disadvantage of the solution described in relation with FIGS. 2 and 3 is that it is, in practice, dedicated to the checking of the integrity of program instructions and remains unprotected for variable data. Indeed, while the double execution of a code line by a possible attacker is not advantageous in terms of discovery of secret values, the fact of applying, several consecutive times, the same data to an algorithm may enable a hacker to exploit the results to hack certain data. Such is for example the case for a counter value stored in a memory external to the microprocessor. Such a counter used in a loop of an algorithm that a hacker attempts to pirate enables him to force the program to remain in the loop. A lack of integrity will not be detected since the counter value and its signature read from the memory are correct.